One problem information security officers often have is correctly evaluating the risk posed by poor data privacy practices. Often a "gaming" approach is taken: a manager keeps rolling the dice (a poor security strategy) in the belief that a winning streak will continue indefinitely. Nothing has gone wrong yet, therefore the corporate strategy must be sound, so "keep rolling". The reasoning is backwards: a run of incident-free years is not evidence that the risk is low, because each roll is independent of the last, and the losing roll only has to come up once.
The flaw in the gaming approach comes from the false perception that a consistent security outcome represents a controlled security environment. Unfortunately, there is no such thing as a fully controlled security environment. The ability to keep data secure ultimately rests on the competence and good intentions of the people who come in contact with the data. While a particular security product or technology may be static, the human employees who constantly rotate through an organization represent a roulette wheel of ever-changing personalities and behaviors. Background checks may identify some potential hires with criminal records, but checks and references are far less reliable at identifying employees who are careless, indifferent or prone to vindictive behavior. Recognizing how little control an organization has over the behavior of its employee pool should help tilt an ISO's attention toward what can be controlled: the strength of the organization's technologies and procedures, including the limits they place on what any one employee can reach.
Tuesday, July 3, 2007

1 comment:
Ever watched a Bond or Mission Impossible film? No matter how tight your security is, it can always be broken. It must be true because it was on TV ;)
Roulette